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Abstract: In recent years, wireless sensor networks (WSNs) have been considered as a 
potential solution for real-time monitoring applications and these WSNs have potential 
practical impact on next generation technology too. However, WSNs could become a 
threat if suitable security is not considered before the deployment and if there are any 
loopholes in their security, which might open the door for an attacker and hence, endanger 
the application. User authentication is one of the most important security services to 
protect WSN data access from unauthorized users; it should provide both mutual 
authentication and session key establishment services. This paper proposes a robust user 
authentication framework for wireless sensor networks, based on a two-factor (password 
and smart card) concept. This scheme facilitates many services to the users such as user 
anonymity, mutual authentication, secure session key establishment and it allows users to 
choose/update their password regularly, whenever needed. Furthermore, we have provided 
the formal verification using Rubin logic and compare RUASN with many existing 
schemes. As a result, we found that the proposed scheme possesses many advantages 
against popular attacks, and achieves better efficiency at low computation cost. 
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1. Introduction 

Wireless sensor networks (WSNs) are becoming more and more popular in everyday life as they 
offer economically viable, real time monitoring solutions. These wireless sensors can be quickly and 
easily deployed in hostile environments, and WSNs are now widely used in a variety of real-time 
applications, such as vehicular tracking, habitat monitoring, environment control, military surveillance, 
healthcare monitoring, wildlife monitoring and traffic monitoring. One recent survey declared that, in 
the near future, WSNs will become an intelligent and integral part of daily lives [1]. 

A WSN consists of a discrete group of independent, low cost, low power nodes with limited 
memory and computation power. They communicate wirelessly over limited frequency and low 
bandwidth [1]. More specifically, sensor nodes collectively monitor the area and sense substantial 
amounts of data, which are transmitted to the base- station traversing some nodes via RF signals and 
routing schemes. 

As sensor nodes are resource constrained devices and are often deployed in a hostile environment and 
have to sense the information properly and efficiently. So the potential deployment of WSNs for any 
real-time applications has to deal with many challenges, including security, system architecture and 
protocol functionalities. Providing security to these resource hungry sensor networks is a very tedious task 
as compared to conventional networks, such as local area networks (LANs) and wide area networks 
(WANs). Consequently, providing suitable security has emerged as one of the critical issue in wireless 
sensor networks, and the state-of-art should therefore pay attention to how to deploy user-friendly, reliable 
and secure WSNs. 

In real-time WSNs, sensor data queries are commonly issued from the base- station nodes or the 
backend application system. Moreover, these sensor networks can be accessed from anywhere in 
an ad-hoc manner. As sensor nodes provide services to users by themselves, it is necessary to control 
who is accessing the information and whether the intended user is authenticated to do so. Therefore, 
access control is a core requirement for WSNs to protect the data from access by unauthorized parties. 
In general user authentication where each user must verify their legitimacy is considered as one of the 
basic solutions for the access control issue. 

So far, a number of significant schemes that provide adequate security for wireless sensor networks 
at the link layer [2-6] and the network layer [7] have been proposed. However, secure user 
authentication at the application layer has not been addressed effectively in order to prevent illegal 
access to sensor data. A review of current literature on WSNs reveals that only a few user 
authentication schemes have been adequately addressed [8-22] at the application layer. In [8-14], 
protocols are based on traditional passwords, where secrets are stored at the base station or the 
gateway. While, the protocols presented in [18-21] are based on two-factor user authentication with 
limited functionality (e.g., no mutual authentication, no secure session key, and no confidentiality) at 
high computation cost. Therefore, one of the primary concerns in wireless sensor network applications 
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is the design and development of a robust user authentication scheme which is suitable for hostile or 
unattended environments. 

In this paper, we have considered the above challenges and present a robust user authentication 
framework for wireless sensor networks (RUASN) at the application layer, which uses the two factor 
approach. The first factor (something you know) refers to something that is known by the user, such 
as a password, while the second factor (something you have) refers that something that is embedded 
on a device, such as smart cards, software tokens, digital certificates or biometric identifiers 
(e.g., fingerprint scans and so on) [23]. 

The proposed RUASN framework achieves user authentication (access control) for wireless sensor 
networks, where a user must login with same identity. The proposed scheme is resists many popular 
attacks, such as replay attack, impersonation attack, insider attack, stolen- verifier attack, password 
guessing attack, and man-in-the-middle attack. RUASN provides user privacy protection (i.e., user 
anonymity), mutual authentication, and secure session key establishment. In addition, a user can update 
his/her password whenever demanded. Our framework uses one-way hash functions along with XOR 
operations to attain low computational overheads. Moreover, this paper further demonstrated the analysis 
and verification of the proposed protocol using Rubin Logic [24], which is very close to actual 
implementation. 

The rest of the paper is structured as follows: Section 2 briefly reviews the related literature and the 
perceived weaknesses of existing schemes. In Section 3 we discuss the design goals, security 
requirements and system architecture of RUASN. In Section 4, we propose a robust two-factor user 
authentication framework in detail. Section 5 discusses the nonmonotonic cryptographic protocol and 
formal verification of proposed protocol using Rubin Logic. Section 6 discusses the security analysis, 
efficiency evaluation and comparison with existing schemes for wireless sensor networks. Finally, 
Section 7 conclusions are drawn for RUASN. 

2. Literature Review 

In this section, we will discuss the literature on user authentication schemes that have been recently 
proposed to verify the legitimacy of wireless sensor networks users. 

Benenson et al. [8] first described several security issues in WSNs, especially the access control 
problem, and proposed the notion of ^-authentication, where users can successfully authenticate with 
at least (n-t) of n-sensors, where t is the number of sensor nodes that the adversary can compromise. 
Subsequently, Benenson et al. [9] proposed another solution for the user authentication problem in the 
face of node capture attacks. The proposed scheme is based on public key cryptography (PKC) and 
elliptic curve cryptography (ECC). Some major weaknesses were pointed out in the Benenson et al. 
scheme, such as the fact that impersonation attacks or denial-of-service (DoS) attacks could be 
mounted by sending many bogus signatures during the authentication phase [10]. Moreover, the 
computation cost of PKC and ECC is very high for sensor networks. 

Wong et al. [10] proposed a dynamic user authentication scheme for wireless sensor networks, 
which is based on passwords. This scheme imposes a very light computation cost that requires only 
one-way hash functions and simple XOR operations. The scheme consists of three phases: 
registration phase, login and authentication phase. Unfortunately, the Wong et al. scheme is 
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vulnerable to many attacks such as replay attacks, forgery attacks, stolen -verifier attacks and 
password guessing attacks [11,12,14,18]. 

Vaidya et al. [14] pointed out some weaknesses of the Tseng et al. [1 1], Wong et al. [10] and Ko [14] 
schemes such as replay of account-login attacks, man-in-the-middle (MITM) attacks, forgery attacks and 
stolen-verifier attack with node capture attacks. They proposed two user authentication schemes for 
wireless sensor networks, which are based on traditional password schemes and claimed that their 
proposed scheme provides better security features as compared to the Wong et al, Tseng et al. and 
Ko et al. schemes. 

Recently, Das [18] pointed out some security flaws in Wong et al. [10] scheme, such as the fact this 
scheme is vulnerable to many logged in users with the same login-id threat and also susceptible to 
stolen-verifier attacks. Das [18] proposed a two-factor user authentication for wireless sensor 
networks, where the legitimate users must prove the possession of both a password and a smart card. 
Das [18] claimed that his scheme is secure against many types of attacks (e.g., user authentication, 
replay, guessing, impersonation, node compromise, and stolen-verifier attacks). 

Nyang and Lee [19] noted that Das' scheme is not practical and is vulnerable to an offline password 
guessing attack by insiders, node compromise attacks and does not care about other security issues, 
i.e., encryption and authenticity verification of query responses. Consequently they proposed an 
enhanced two-factor user authentication protocol for WSNs, which overcome the Das scheme's 
security flaws with some additional security services such as confidentiality and authenticity of user 
query responses. However, their scheme also does not care about mutual authentication and there is no 
provision for password updates. 

Khan and Alghathbar [20] pointed out that the Das et al. [18] scheme is still not secure and cannot 
resist many other security attacks, such as gateway-node bypass attacks, and it is vulnerable to insider 
attacks, as well as not facilitating mutual authentication between the gateway and the sensor nodes and 
there is no provision for users to change their passwords. Khan and Alghathbar [20] overcome the 
security weaknesses of Das' scheme and proposed an improved two-factor user authentication in 
WSNs, which provides protection against insider attacks, gateway bypass attacks and introduced a 
password change phase for users. They suggested two secret (X a and X s ) values to be used to overcome 
the gateway-bypass attacks. For example, X a is used between the user and the gateway, and X s is used 
between the gateway and the sensor nodes. Furthermore, to overcome the room for insider attack, they 
passed hashed passwords instead of plain passwords. Their scheme also does not however provide 
mutual authentication between the user and the gateway. 

More recently, He et al. [21] have shown that Das' protocol is susceptible to insider attacks, 
impersonation attacks and also found design weaknesses (i.e., concerning real identity of user). Later, 
they proposed an enhanced two-factor user authentication scheme for WSNs that facilitates user 
anonymity, protection against insider attacks and allows users to change their passwords. Their scheme 
does not care about mutual authentication between all parties (i.e., user, gateway and sensor). Moreover, 
the communication cost is quite high as compared with other schemes (see [10-14,18-20]). 

As we have seen above, a number of user authentication schemes have been proposed in order to 
authenticate user legitimacy for sensor networks. These schemes are not designed properly [10-14] 
(i.e., stored secrets at the gateway) and in [18-21] they do not provide essential services to the users. 
Consequently, we conclude that the above schemes have many security flaws and provide less security 
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services. Thus, these security weaknesses and constrained nature of sensor nodes motivated us to 
design a robust user authentication framework that provides adequate security and provides users with 
many services, as discussed in the next section. 

3. Design Goals, Security Requirements and System Architecture 

In this section, we discuss the design goals, security requirements and system architecture for robust 
user authentication for wireless sensor networks. 

3.1. Design Goals and Security Requirements 

RUASN provides transparent security service for wireless sensor networks. In this paper another 
goal is to design a simple and user-friendly framework, which will be suitable for real-time WSNs 
applications. Overall, RUASN is designed with the following characteristics: 

Proper user authentication: A user must prove his/her authenticity, so that only authentic users can 
access the WSN data. 

Mutual authentication: Every entity (user, gateway and sensor) must be mutually authenticated; 
hence they can ensure the communication is only taking place between authentic entities. 

User anonymity: Since all the messages are broadcasted wirelessly, which means that an attacker 
may simply eavesdrop on the messages and could breach the privacy of a user, thus, the scheme 
must provide user anonymity. 

Session key establishment: A session key should be established between a user and sensor node, so 
that subsequent communication could take place securely. 

Confidentiality: It is desirable that a user authentication protocol facilitate confidentiality of 
messages; as a result, these confidential messages can only be used by authorized users. 

Password update: A password based user authentication scheme should provide users a password 
update facility so that a user can update his/her password freely. 

Low communication and computational cost: Since sensor nodes are resource constrained devices 
(e.g., MicaZ [25], and Telosb [26]) and, in general, application functions also need room for 
executing their tasks. So, the scheme must be efficient in terms of communication and 
computational cost. 

Robust against popular attacks: Clearly, the scheme should defend against different popular 
attacks, such as replay, impersonation, insider, stolen-verifier, password guessing, and man-in-the- 
middle attacks. As a result, the scheme should be easily applicable to real-world applications. 

User-Friendliness: The system architecture should be easy to deploy for the WSN applications as 
well as user-friendly for non-advanced users so users can update his/her password securely 
according to their will. 

Reliability: From the security point of view, the gateway needs to check the validity of the users 
and the sensor nodes, so that reliable communication can be established between all the parties. 
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Moreover, Liao et al. [27] identified some security requirements to evaluate a smart card and 
password based authentication protocol. Their requirements solve most of the problems in smart card 
oriented schemes. As sensor networks are resource constrained devices, WSN could adopt Liao et al. 
requirements, which are listed below: 

• The password tables should not be stored inside the gateway. 

• Verification table should not be stored inside the gateway. 

• The password should not be transmitted as plain text over the public network. 

• Schemes should resist insider- attacks. 

• Password length should be sufficient. 

• The password is not exposed by the gateway administrator. 

• Scheme should resist offline password guessing attacks. 

3.2. System Architecture 

Wireless sensor networks consist of a number N of low-cost sensor devices, which are scattered in a 
hostile environment. These sensors sense the environmental information, (e.g., humidity, pressure, and 
temperature) and transmit information to the users for further analysis. A user can access real-time 
WSN data using their mobile devices (e.g., laptop, PDA or smart-phone) through wireless 
communication. WSN data could be easily accessible from anywhere in ad-hoc manner. In real-time 
environment it is obvious that the gateway nodes and the users are able to access the sensor data 
directly. The basic system architecture is shown in Figure 1, where a user directly request to the sensor 
node, upon receiving user request sensor node first verify user authenticity through the gateway node. 



Figure 1. The basic system architecture for RUASN 
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After confirmation of the user's legitimacy he/she can access the real-time sensor data. 
Furthermore, the gateway node provides a middle ground between the users and the sensor network. 

4. RUASN: Robust User Authentication for Wireless Sensor Network 

To solve the potential problems of user authentication for WSNs, we propose RUASN which 
ensures WSN data are only accessed by legitimate users. Thus, before issuing a query to a sensor node, 
each user must register with the gateway in a secure manner so that they can access the real time 
sensors' data. Upon the successful user registration request, the gateway node personalizes a smart 
card for every registered user, as shown in Figure 1. Then, a user can submit his/her query in an 
authentic way and access the sensor network data at any time within an administratively configurable 
period [10]. 

In order to execute the proposed framework, we considered that the gateway is a trusted node and it 
hold two master keys (x and y), which are sufficiently large for the sensor network. Before starting the 
system, it is assumed that the gateway and the sensor nodes share a long-term common secret key, i.e., 
SK gs = h{Sn\\y) using any key agreement protocol. For example, [4] demonstrated that, with the careful 
design, D-H key agreement protocol [28] and RSA public key cryptosystem [29] can be easily 
deployed on most constrained devices. Here, h{.) is a collision free one-way hash function (i.e., SHA- 
1), which has an output length of 160-bits [30] and is used throughout this paper. It is assumed that 
some identical secure symmetric cryptosystems are publically available and stored on the user device, 
on the gateway and the sensor node. As a result only the users registered with the gateway have access 
privileges to the sensors, which share a long-term secret with the gateway. The framework is divided 
into four phases, namely, user registration phase, login phase, authentication phase and password 
update phase. For convenience Table 1 provides a list of some notations and symbols will be used 
throughout the rest of paper. 



Table 1. Notation and symbols used in the paper. 



Notation 



Descriptions 



GWnode 



WSN gateway node 
User to be login 
Login_ID of Uic 
Password of U k 
Gateway master keys 
Arbitrary random number selected by user 
Random number generated by the GW node 
Message m is encrypted with symmetric key 
Message m is decrypted with symmetric key 
Message authentication code over message m with secret key 
Sensor Node ID 

Secret parameter generated by the user U k 
Cryptographic hash function 
Bitwise XOR operation 
Concatenation operation 



U k 

ID k 

PW k 



x andy 



r 



E key [m] 
D key [m] 

MAC_ key (m) [31] 



K) 

0 

II 
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4.1. Registration Phase (RP) 

In the registration phase, initially, each user must register with the GW node. A user Uk chooses 
his/her identity (ID k ). Now user U k chooses password (PWk) and selects an arbitrary random number r 
which should be sufficiently large and computes h(r (DPWk). The IDk and PWk should include uppercase, 
lower case characters and 0-9 numeric characters [32]. Afterward, the user submits a registration request 
to the GW node over a secure channel. Upon receiving the U k registration request, the GW node 
computes: 

1. Ak=h(ID k @l) 

2. B k = EJIDtUl] 

3. V k = h(ID k \\h(r®PW k )) 



Thereafter, the GW node personalizes a smart card for the user with the parameters 
(Ak, Bk, Vk, h(.), Ek[.],Dk[.]J. Here, / is random number which is generated by the GW node and x is 
the gateway secret key and h(.) is a collision free one-way function, e.g., SHA-1 [30]. Subsequently, 
user Uk enters r into his/her smart card, by doing so, user U k need not memorize the arbitrary random 
number. Now the smart card contains {A k , B k , Vk, h(.), E k [.], D k [.], rj. This step completes the 
registration phase and the process flow is shown in Figure 2. 

Figure 2. Flow of registration phase. 



] User | 



Gateway 



Choose IDk, PWk and r 
h(r@PWk) 

ID k & h(r®PW k ) 



• generate random number / 

• A k = h{lD k @ 0,and B k = E x [ID k \ \l] 

• V k =h(ID k \\h(r®PWk)) 

Gateway node personalized a smart 
card to user { A k , B k , V k , h(.\ E k [.], D k [.]} 
{Smart card} 



Upon receiving the smart card, the user stores the random number r into the 
smart card; now smart card have [Ak,Bk, Vk, h(.), h(.), E k [.], Dk[.], r} 



4.2. Login Phase (LP) 



This phase is invoked whenever a user U k wants to submit his/her query to access the sensor, every 
time he/she has to complete the login phase. Figure 3 shows both the login phase and the 
authentication phase. The user Uk inserts his/her smart card into the terminal and inputs his ID k and 
PW k . 
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Figure 3. Flow of login and authentication phases. 



| User | 



GW 



Sensor 



• V k * = h(ID k \ \h(r@PW k )) and verify V k * = V k , if not, then reject the login request. 

• H k - h(A k ), and generate Xg 

• AID k = E TkTu [h(ID k )\\Sn\\Xg], here, Tk Tu = (Tu\\H k ) 

• Ml= <B k ,AID k ,Tu> 



Ml 



• (Ts - Tu) > AT, if yes, then abort 

• M2 = <B k , AlD k , Tu, Ts, Sn>, 

• Q = MAC_ SKgs (B k \ \AID k \ \Tu\\ TsWSn). 

<M2,Q> 



• (Tg - Ts) > AT, if yes, then abort 

• Q' = MAC_ SKgs {M2) and verify Q' = Q, if not, then abort 

• Obtain ID k and /' from B k 

• h{ID k \ A k = h(lD k '@ 0, and H k ' = hlAfi 

• Tk Tu = ( Tu II and 

• Obtains (h(ID k *)\\Sn*\\X g ) from AID k 

• Verify: /i(/D^ = h(ID k *) and Sn = Sn*, if not, then abort 

• M3 = <Tg, C>, here C = E SKgs [h(ID k )\\X g \\Tg] 



M3 

► 

(Ts - Tg) > AT, if yes, then abort 
Obtains [h(ID k )\\X g \\Tg*] from C 
Verify: Tg = Tg*, if not, then abort 
Ses K = h(h(ID k ) \\X g \\Sn\\Ts\\Tu) 
M4 = <L, Ts>, 

hereL = E SesK [X„\\Ts] 




• (Tu - Ts) > AT, if yes, then abort 

• Ses K = h(h(ID k ) \\X g \\Sn\\Ts\\Tu) 

• Obtains [X g *\\Ts*] from L 

• Verify: Xg - Xg* and Ts - Ts*, if not, then abort 



As a result, he/she believes that the sensor node Sn is authentic, otherwise not. 
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Now, the smart card performs the following operations: 
(LP-1). Compute: V k * = h(ID k \\h(r@PW k )). 

(LP-2). Check whether V k * and V k are equal or not. If not, then reject the login request, otherwise, the 
user is a legal user and go to the next step. 

(LP-3). Compute: H k = h(A k ). 

(LP-4). Compute: AID k = E Tk Tu[h(ID k )\\Sn\\X g ]; here, Tk Tu = (Tu\\H k ) is short-term key and Sn is the 
sensor node, which the user U k wants to access. Here, X g is a secret random number generated by the 
user U k at login time, which is helpful to generate the session key between the user and the sensor node. 
Tu is denoting the current timestamp of U k s system, which resist replay attacks. 

(LP-5). Send the login message Ml = < B k , AID k , Tu > to the sensor node. 

Now, this is the end of login phase and the user login request message <M1> is send to the sensor 
node over a public channel. 

4.3. Authentication Phase (AP) 

The authentication phase is invoked when a sensor node receives the user login request message 
<M1> at time Ts. The sensor node authenticates users' requests by the following steps: 

(AP-1). The sensor node, Sn validates the Tu: Check, if (Ts-Tu) > AT, if yes, then Sn reject this 
request and terminates the process. Otherwise, it continues with the next step. Here, Ts is the current 
timestamp of Sn and AT is the defined time interval for the transmission delay. 

(AP-2). Now Sn generates message M2 = <B k , AID k , Tu, Ts, Sn> and Q. Thereafter, Sn sends <M2, Q> 
to the GW node over public network. Here, a message authentication code (MAC) [3,33] is computed on 
the message M2 (i.e., Q = MAC ^ Kgs ((B k \\AID k \\Tu\\Ts\\Sri))) for the integrity verification by the GW 
node. 

(AP-3). Upon receiving the message M2 and Q from the sensor node, the GW node performs 
the following actions: 

1. The GW node validates the time Ts: Check if (Tg—Ts) > AT, if yes, then the GW node rejects this 
request and terminates the process, otherwise, it continues with the next step. Here, Tg is the 
current timestamp of the GWnode and AT is the defined time interval for the transmission delay. 

2. The GW node computes Q' on the message M2 using long-term secret key SK gs and verifies 
Q' = Q, if yes, then the GW node considers that this is an original message and proceeds to the 
next step, otherwise, it rejects the request and terminates further operations. 

3. The GW node decrypts B k using secret key x and obtains ID k and /' of U k . Now, the GW node 
computes h(IDk), A k = h(TD k @ l 1 ) and H k = h(A k r ). Subsequently, the GW node generates a 
temporary key Tk T u (Tu\\H k f ). After that, the GW node decrypts the sub-message AID k by using 
the Tk Tu and obtains [h(ID k *)\\Sn*\\X g ]. Afterwards, the GW node compares h(IDk) with 
h(ID k *), if this check is successful then the user is a legal user. Here, h(ID k *) is sub-message of 
AID k . At the same time, the GW node verifies whether Sn is equal to Sn*, which is included in 
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sub-message of AIDt and if yes, then the GW node considers that Sn is a legal node that user Uk 
wants to access. Otherwise, the GWnode rejects the authentication process. 
4. After authenticating the user and the sensor node; the GW node informs the sensor node that 
user Ut is a legitimate user, therefore, the GW node computes message M3 = <Tg, C> and 
sends message M3 to the sensor node. Here, C = E SKgs [h(IDk)\\X g \\Tg] and Tg is the current 
timestamp of the GW node. 

(AP-4). Upon receiving the message M3 from the GWnode, the sensor node performs the following: 

1. Firstly, Sn validate the time Tg: Check if (Ts—Tg) > AT, if yes, then the sensor node rejects this 
request and terminates the process. Otherwise, it continues with the next step. Here, Ts is the 
current timestamp of the sensor node and AT is the defined time interval for the transmission 
delay. 

2. Now, with the knowledge of SK gs , the sensor node decrypts the sub-message 
C = DsKgs[h(IDk)\\Xg\\Tg*] and verifies whether Tg is equal to Tg* or not. If Tg is not verified 
then the process is terminated; otherwise, the sensor node considers the GW node a legal node 
and message M3 is generated by the original GWnode. 

3. Thereafter, Sn computes a session key SesK= h(h(IDk)\\Xg\\Sn\\Ts\\Tu) for secure communication 
between the sensor node and the user. Now, Sn generates a message M4 = <L, Ts>, and sends it 
to the user Uk. Here, L = E SesK [Xg\\Ts] and Ts is the current time stamp of the sensor node. 

(AP-5). While receiving the message M4 from the sensor node, the user Uk performs the following: 

1. Firstly, Uk validates the time Ts: Check if (Tu - Ts) > AT, if yes, then the sensor node rejects 
this request and terminates the process. Otherwise, it continues with the next step. Here, Tu is 
the current timestamp of the user Uk and AT is the defined time interval for the transmission 
delay. 

2. Now, the user Uk computes the session key SesK= h(h(IDk)\\X g \\Sn\\Ts\\Tu) and decrypts the 
sub-message L (i.e., D SesK [X g *\\Ts*]) and obtains X g * and Ts*. The user Uk checks X g = X g * 
and Ts = Ts*, if yes, then he/she believes that Sn is a real sensor node, otherwise not. 

3. Moreover, now the user Uk and Sn share the symmetric session key 
SesK= h(h(IDk)\\X g \\Sn\\Ts\\Tu) for performing further subsequent operation during a session. 

As a result, a legitimate user can communicate with real sensor nodes and access the network data. 

4.4. Password-Update Phase (PUP) 

The password update phase is invoked whenever user Uk wants to update his/her old password 
(PWk). The password update phase is described below: 

(PUP-1). User Uk inserts his/her smart card into the terminal and enters his/her identity (IDk) and 
password (PWk). 

(PUP-2). Firstly, the smart card validates the Uk$ entered IDk and PWk with the stored values by 
computing the following: Vk* = h(ID k \\h(r@PW k )). 
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(PUP-3). Verify whether V k * and V k are equal or not. If not, then reject the password update request; 
otherwise, proceed to the next steps. 

(PUP-4). Upon receiving the U k 's new password (PW knew *), the smart card computes 
V knew * = h(ID k \\h(r0PW knew *)) (PUP-5). Now, the smart card replaces V k with V knew *. 

After performing the above steps, the password update phase takes place successfully. The flow of 
the password update phase is shown in Figure 4. 

Figure 4. Flow of password update phase. 

Enter ID k and PW k 

• v k * = h(ID k \\h(r@PW k )) 

• Check V k * = V k , if yes, and then go to the next step. 

• User enter new password PW knew * 

• V knew *= h(ID k \\h(r@PW knew *)) 
Replace V k with V kneu * in the smart card. 



5. Nonmonotonic Cryptographic Protocol and RUASN Analysis and Verification 

This section presents, first, the nonmonotonic cryptographic protocol (NCP) [24], and second, 
formal analysis and verification of RUASN using the NCP protocol. 

5.1. Nonmonotonic Cryptographic Protocol 

This sub-section describes the nonmonotonic cryptographic protocol (NCP), which is also known as 
Rubin Logic. The NCP logic assumed that involved entities are trusted, and state of knowledge 
(i.e., current state of the protocol), and describes the authentication logic. In [24-34] the authors state 
that the NCP logic does not require any idealization step in specifying the protocol and is very close 
to real implementation. In Rubin logic the roles are assigned to entities, which are considered as 
independent processes. The nonmonotonic logic consists of two sets, global set and local set. 
These sets are directly applicable for protocol analysis, as follows. For more details the reader may 
refer to [24] and [35]. 

5.1.1. Global Set and Local Set 

Global set: The global sets are publically known to each principal in a protocol specification, and 
consist of principal set, rule set, secret set and observers set. These sets represent the information of 
the protocol and the contents of these global sets may get updated as the protocol progresses. 

> Principal set: This set represents the involved entities in a protocol, such as, 
Et = (Etj, Et2, Ets, , Et n }. 

> Rule set: This set contain inference rules for deriving new statements from existing statements, 
as described in Section 5.1.3. 
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> Secret set: This set holds all the protocol secrets, such as S = {Si, S 2 , S3,...., S n J, that exist at 
any given time in the system. 

> Observers set: This set holds all Si such that for each Si, Observers (Si) contains all the 
involved entities who could possibly know the secret Si in the system. 

> Local set: The local sets are not publically known, instead, they are private to each entity. The 
local sets consist of the following: 

> Possession set (Ei): This set holds all the data relevant to security, and that particular entity 
knows or possesses, which includes encryption keys, public keys, and other secrets that are not 
publically available. POSS(Ei) = (possi, poss2, psos3,...., possj. 

> Belief set: This set holds all the beliefs held by a principal. For example, the beliefs 
about freshness, and the beliefs about the possessions of other involved principals. 
BEL(Ei) = fbelfi, belf 2 , belf 3 ,...., belfj. 

> Seen set (Ei): This set holds plaintext message parts that Ei sees from messages sent across the 
network and it also contain a copy of the information as the Observers sets. 

> Behavior list (Ei): This is a list instead of a set, and the list elements are ordered. 
BL = {AL, bevi, bev 2 , bev3,..., bev n J, here AL is an action list, which consists of zero or many 
actions executed by Ei and bev n is a pair, i.e., (message, AL). The messages have two forms: 
Send (Ei, message) and Receive (Ei, message). Furthermore, after every Send(.) operation, the 
Observers set has to be updated using Update(.) operation. After each Update(.) operation the 
control pass to the next Receive(.) operation of principal, which is specified in the earlier 
Send(.) operation. 

> Haskeys set (Ei): The Haskeys set holds keys that Ei sees either because they are in the initial 
possession set, or they appear in a message sent across the network and are added to Ei's Seen set. 

5.1.2. Actions 

Actions are operations which play essential roles in the protocol specification. These actions control 
the state of knowledge and possessions for involved entities (such as, constructs messages, hashing, 
concatenation, encryption /decryption, secret generation, update, and abort operations, are few 
example). For a complete list of actions readers may refer to [24,35]. As per our requirements, we have 
defined the following actions, as shown below, which are directly adopted from [24-34]. The action is 
marked with ■ to show that it has been successful and moved to the next action. 

■ Hash(h(.);X) 
Condition: /?(.), X E POSS(Ei) 
Result: POSS(Ei): = POSS(Ei) U (h(X)} 
Description: This action is for hashing the data. 

■ XOR(X 1 ,X 2 ,X 3 , ,X n ) 

Condition: X h X 2 , X 3 , , X n EPOSS(Ei) 

Result: POSS(Ei): = POSS(Ei) 6 (X h X 2 , X 3 , ,X n J 

Description: This action is for XORing the data. 
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■ Encrypt(X, k) 
Condition: X, k EPOSS(Ei) 

Result: POSSiEi) : = POSS(Ei) U{{XJ k J 

Description: This action occurs when a principal encrypts data. If Ei possesses X and knows k then 
he/she can possess {X} k . 

■ Decrypt({Xh, k) 
Condition: {X} k , k EPOSS(Ei) 
Result: POSS(Ei):= POSS(Ei) U {X} 

Description: This action is performed when a principal decrypts data. If Ei possesses X, encrypted 
under k, and Ei knows k, then he/she (Ei) can possess X. 

■ Generate-Secret(X g ) 

Result: S: = S U{X g }, Observers(X g ) = {Ei}, 
POSSiEi) := POSS(Ei) U{X g , Ei}, 
BEL(Ei): = BEL (Ei) U#(X g ) 

Description: This action generates a secret for an entity, when needed. Thereafter, a new secret X g , 
is added to secret S and the Observers and Possession sets are updated. 

■ Concat(X } ,X 2 ,X 3 , .... ,X n ) 
Condition: X u X 2 , X 3 , ,X n EPOSS(Ei) 

Result: POSS(Ei) := POSS(Ei) U {X u X 2 , X 3 , X n j 
Description: This action concatenates the sub-messages. 

■ Check(X, Y) 
Condition: X, Y EPOSS(Ei) 

Result: Valid if X= = Y, otherwise invalid. 

■ Split(X) 

Condition: X contains X u X 2 , X 3 , , X n , X EPOSS(Ei) 

Result: POSS(Ei):= POSS(Ei) U {X h X 2 , X 3 ,....,X„j 

Description: This action is used to break the message into sub-messages. 

■ Send(Ej, X) 

Description: This action sends message X to Ej (i.e., Ei to Ej). 

■ Receive(Ej, X) 

Description: This action receives message X from Ej (i.e., Ei receives from Ej) and added to 
POSS(Ei). 

■ Update(X) 

Description: The purpose of update action is to update the Observers sets of all secrets that are sent 
on the network. 

■ Forget(X) 

Description: The purpose of forget action, when Ei no longer is in possession of X. 

■ Abort: 
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Description: The abort action takes place when a checked action could not satisfy the established 
conditions. Furthermore, this action aborts the system, if a protocol run is illegal. As a result, analysis 
reports a failure. 

5.1.3. Inference Rules 

A procedure which combines known facts and produce new fact is called an inference rule [24]. 
These inference rules are used to fact about beliefs during the protocol execution and are applied 
whenever they are relevant to protocol progress. The following inference rules are defined as per our 
requirements, which are directly adopted from [24,35]. 

Notation: 

X contains Y: Y appears as a sub-message of X. 
S: =f(S): S is replaced by the value of/(,S). 
Xfrom E: X is received from E. 

1. Message-meaning rule: 

(XJkfrom Ej E POSS(Ei),{Ei, EjJ^POSS(Ei) 
BEL (Ei): = BEL (Ei) U(X EPOSS (Ei)J 

2. Origin rule: 

XE POSS(Ei), X contains xi, Ej E Ob server s(xi) 
XifromEj EPOSS (Ei) 

3. Sub-message origin rule: 

XEPOSS (Ei), X containsfxi, X2J from Ej 
x 2 from Ej EPOSS(Ei) 

4. Sub-message freshness rule: 

#(x\) E BEL (Ei), (X contains X], Y contains X2} <^POSS (Ei) 
BEL(Ei): = BEL(Ei) U#(xl) ~ 

For a complete list of inference rules, readers may refer to [24] and [35]. 

5.2. RUASN Analysis and Verification Using Rubin-Logic 

This sub-section presents the analysis and verification of the proposed RUASN using well-known 
Rubin logic [24]. The NCP logic integrates protocol analysis with protocol specification and thus, 
beliefs of involved entities and current state of knowledge is updated as the protocol run progresses. 
For RUASN analysis and verification, only three phases are accounted, namely, registration phase, 
login phase and authentication phase, as follows. 

5.2.1. RUASN Specification 

For convenience, a list of some additional notations and symbols will be used in the RUASN 
analysis and verification, as shown in Table 2. 
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Table 2. Additional notations. 



Notation 


Description 


U, GW and Sn 


User, Gateway and Sensor, respectively entities 


XI ^X2 


XI replace by X2 


Phase - 1 


Registration phase 


Phase - II 


Login phase 


Phase - III 


Authentication phase 



As per the NCP logic, the specifications of RUASN are the following: 
Global sets: It consists of four sets: 

■ Principal set: P = U, GW, and Sn. Here, U is the initiator of RUASN. 

■ Rule set: Inference rules are defined in Section 5.1.3. 

■ Secret set: (PWk, r, x, y, I, SK gs J 

■ Observers set: 

Observers (PW k ,r): {UJ 
Ob server s{x, y, I): (GWJ 
Observers (SK gs ): {GW, Sn} 

Local sets: The local sets consist of U, GW, and Sn and are as shown in Table 3. 



Table 3. Local Sets for RUASN. 



1. Entity U 


(1.3) Phase -III 


POSS(U) = (PW k ,{ID k },r} 


■ Receive(Sn, (L, Ts j)^M4 [Here L=E SesK [X g \ \Ts]] 


BEL(U) = (#(PW k ), #(r)} 


- Split({L, Ts}) 


BL(U) = 


■ Check-freshness (Tu~Ts)>AT, if yes, then aborts. 




' Hash(h(.);Concat(Hash(h(.);ID k ,X g ,Sn,Ts, Tu)))^SesK 


(1.1) Phase -I 


■ Decrypt({L} SesK and obtain (X g *, Ts*) 




- Check(X g , X g *) 


■ Hash(h(. ); XOR(r, PW k ) )^Pass 


' Check(Ts, Ts*) 


' Send(GW, (ID k , Pass}) 




' Update({ID k ,PW k ,rJ) 


2. Entity GW 


- Receive (GW, (A k , B k , V k , h(.),E k , D k J) 






POSS(GW) = (x, y, I, and SK gs J 


(1.2) Phase -II 


BEL(GW) = l#(s), #(y), #(l),#(SK gs )j 




BL( GW) = 


■ Hash(h(. ); Concat(ID k , Pass ))^V k * 




' Check(V k *, V k ) 


(2.1) Phase -I 


' Hash(h(.); A k )^H k 




■ Generate-secret(X g ) 


■ ReceivefU, {ID k , Pass}) 


■ Concat(Tu, H k )^>Tk Tu 


■ Generate-secret number(l) 


' Encrypt({Concat(Hash(h(.);ID k ,Sn, X g ))} TkTu )^AID k 


' Hash(h(.); XOR(ID k , l))^A k 


' Send(Sn,{B k ,AID k ,Tu})^>Ml 


■ Encrypt({Concat(ID k , l)} x )^B k 


' Update(ID k , X g , Sn, Tu) 


■ Hash(h(.);Concat(ID k , Pass))^>V k 




' SendfU, {A k , B k , V k , h(.)J) 




■ Updated A k , B k , V k , h(.), Pass}) 




* Forget({A k ,B k , V k , Pass J) 
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Table 3. Cont. 



(1 0\ Phncf* TT 
\L.L) r lldac — 11 




\j.L ) r lldac — 1 


MA 




MA 


(0 X\ Phncp TTT 
yZ,.jj rlld.sC — 111 




\D.Z.) r lldsC — 11 


■ TforoivoiKn /M? Cil Mi h> ro M? — R ATD Tu TV ? w / 




J?t>rt>h?t>/TI /Mil) f I f/>r/> Ml — {R ATD Tu\l 

ilcCct Vc( C, \1V11 f ) [ ll& re IVll — ( D kj r\lLJ kj 1 U ) j 


opiLiylvlZ, , (^/y 


m 


<\n1it(M1 1 


■ VnlitfM? 1 
opiLlylvlZ. ) 


■ 


\^nccK-j rcsnncss (i a iuj ij yes, man auufis. 


■ li s> r^lz Ti'/y c/jiitfir / / / / — Tr I ^> A T^ i / a i/y v fiT/y n nrtn vf r 
L/HcCA,-/ / CiiWicJii (^5 J- b / — j J^^f If Wit LIUUf IS. 


■ 


MAC( fCrmmt(R, AID, Tu Tv 9m 1 J™, 1 4-/0 

/ \^Uncai\D kj rilLJ k ,l U,l ci,OflJ/ SKgs) 


■ MAC(iR, ATD, Tu Tc Vnl^ 1— vD' 


■ 


Kpnr](nW IM? Dl\ fffw Ml — (R, ATD, Tu 9m 1 / 




■ 


kj p 'Liu, i t:\ivi z, , (^/y 


■ Tivrrvritf fR I 1 nvirl nhtnin ATT) ' I'l 






liaSfl\ il\ .J, ll~sk } 




n Phncp TTT 
^J.J ) r lldsC — 111 


nasn\n\. ),A.\ji\\LLJ] l , t ^/i^- 






rlil&ily il\ ,),r\ k ) '///,- 


■ 


Rprphyp(nW (To C ] 1 


■ Concat(Tu, H k )—>Tk Tu 


■ 


Split(Tg, C) 


■ Decrypt( {AID k } TkTu ) and obtain [h( ID k *), Sn*, X g ] 


■ 


Check-freshness (Ts - Tg) >AT, if yes, then aborts. 


\^necK\n\iu k j, n\iu k jj 


■ 


r\0rir\int( fC\ 1 rind nhtnin [hfTTi Y Tci%\1 

ueLrypi\\\^ j SKgs) ana ooiain [n\iu k , a^, ig jj 


■ L-/icC/C( on , OH,/ 


■ 


\^necK\ig , ig) 


■ Encrypt({Concat(Hash(h(.);ID k ), X gt Tg)} SKgs )^C 


■ 


Hash(h(.);Concat(Hash(.);ID kj X gJ Sn, Ts, Tu))^Ses K 


Ot-fLLl\Oflf I Ig/J ^IVIO 


■ 


lifter ypi\ i *^>uficu,i\ -A-gi J- s J/SesK) *-* 


' Update(C, Tg) 


■ 


Send(U, {L, Ts})^M4 




■ 


Update(L, Ts) 


3. Entity Sn 






POSS(Sn) = {SKgs,Sn } 






BEL(Sn) = (#(SKgs), #(Sn)} 






BL(Sn) = 







NA: Not Applicable. 



5.2.2. RUASN Analysis and Verification 

Once the protocol specification has been completed, the analysis begins. This subsection analyzes 
the proposed scheme, which is very close to real implementation. We have considered three phases, 
namely, registration phase, login phase and authentication phase, where three entities are involved in 
the protocol progress [i.e., user(U), gateway(GW) and sensor(Sn)]. 

As we can see the Phase-I in Table 3, the entity U is the initiator of the protocol, so user behavior 
list actions are executed first [i.e., BL(U)]. The first three actions are executed in BL(U) and once the 
Update action is performed, the next actions have to be executed in the GW behavior list, since the 
Send operation (i.e., Send(GW,{IDu,Pass})) is specifies GWlist, as shown below: 

■ Hash(h(.); XOR(r, PW k ))^Pass 

■ Send(GW, (ID k , Pass}) 

■ Update({ID k , PW k , r}) 

Now GW's Phase-I actions behavior lists takes place [i.e., BL(GW)] and first seven actions are 
executed in BL(GW). After the Update operation, the next operations have to be executed in the user's 
behavior list as below, the Send operation [Send(U, {A k , B k , V k , h(.),E k ,D k })] assigned to U. Then the 
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Forget operation removes all values (i.e., A k ,B k ,V k ,E k ,D k ) from the local possession set [POSS(GW)], as 
shown below: 

■ Receive(U, {ID k , Pass}) 

■ Generate- secret number(l) 

' Hash(h(.); XOR(ID k , l))^A k 

■ Encrypt({Concat(ID k , l)}x)—*Bk 

■ Hash(h(.); Concat(ID k ,Pass))—>V k 
' Send(U, {A k ,B k ,Vk, h(.),E h D k }) 

■ Update({A k , B k , V k , h(.),E k ,D k , Pass}) 

■ Forget({A k , B k , V k , E k ,D k , Pass}) 

It is clear that after the end of the user and the gateway Phase-I, there is no significant change in 
their global sets, whereas, in the local sets of both entities (i.e., user and gateway) have are some 
changes, as shown: 

POSS(U) = {ID k , PW k , r{A k , B k , V k , h(.),E k ,D k }} 

BEL(U) = (#(PW k )} 

POSS(GW) = {x,y,l,SK gs } 

BEL(GW) = (#(x), #00, #(0, #(SK gs )} 

This is the end of Phase-I. 

Subsequently, Phase-II begins and two entities (i.e., User and Sensor) are involved in this phase. 
As, U is the initiator of the protocol, and thus next operations have to be executed in U's behavior list 
(BL(U)), as follows: 

■ Hash(h(.); Concat(ID k ,Pass))—>-V k * 

■ Check(V k *, V k ) 

■ Hash(h(.); A k )^H k 

■ Generate-secret(X g ) 

■ Concat(Tu, H k )—>TkTu 

■ Encrypt({Concat(Hash(h(.);ID k , Sn, X g ))} T kTu)— > -AID k 

■ Send(Sn,(B k ,AlD k ,Tu})^Ml 

■ Update(ID k , X g , Sn, Tu) 

After the Update operation, the following changes will takes place in BL(U). 

POSS(U) = {ID k , V k , Xg, TkTu, AID k , A k , H k } 
BEL(U) = (#(X g ), #(TkTu)} 

The global set of entity U will change with the following: 
Observers(X g ): {U} 
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The next operations have to be executed in Sn's behavior list [BL(Sn)], because the above Send 
operation (i.e., Send(Sn,{Bk, AIDk, TuJ)^Ml) specifies Sn. Upon receiving the Receive operation 
(i.e., Receive (U,{M1J)), Sn does the following: 

■ Receive( U, {Ml J) /Here Ml = (B k , AID k , Tu) ] 

■ Split(Ml) 

■ Check-freshness (Ts - Tu) >AT, if yes, then aborts. 

■ MAC({Concat(B k , AID k , Tu, Ts, Sn) }SK gs )^Q 

■ Send(GW, (M2, QJ) /Here M2 = (B k AID k , Tu, Ts, Sn) ] 

■ Update(M2, Q) 

The Update operation makes the following changes in BL(Sn): 

POSS(Sn) = {B k , AID k , Tu, Ts, Sn, Q, SK g J 
BEL(Sn) = (#(SK gs )} 

As we can see the next operations will be executed in GW's behavior list [BL(GW)], as the above Sn 
Send operation (i.e., Send(GW,(M2, QJ)) specifies to GW. Upon receiving the Receive operation 
[i.e., Receive (Sn,{M2,QJ) ] from Sn. Now, BL(GW) performs the following operations: 

■ Receive(Sn, {M2, 2/)/Here M2 = B k , AID k , Tu, Ts, Sn ] 

■ Split(M2, Q) 

■ Split(M2) 

■ Check-freshness (Tg - Ts) > AT, if yes, then aborts. 

■ MAC({B k , AID k , Tu, Ts, SnJ SKgs )^Q' 

■ Check(Q, Q') 

■ Decrypt({B k } x ) and obtain [ID k , V] 

■ Hash(h(.);ID k r ) 

■ Hash(h(.); XOR(ID k ', l 1 )) -^A k ' 

■ Hash(h(.);Ak)^>H k ' 

■ Concat(Tu, H^—tTkTu 

■ Decrypt({AID k J TkTu ) and obtain/ h(ID k *), Sn *, X g ] 
' Check(h(ID k *), h(ID k y) 

■ Check(Sn*, Sn) 

■ Encrypt((Concat(Hash(h(.); ID k ), X g , Tg)JsK g s)— >t C 

■ Send(Sn, { Tg, C })^M3 

■ Update( Tg, C) 

After applying Update operation the following changes take place in the gateway entity: 

POSS(GW) = (ID k , H k , X g , SK gs , Sn, I, x, y, 

(B k , AID k , Tu, Ts, Sn} and (MAC{B k , AID k , Tu, Ts, SnJ skgs Jfrom Sn} 
BEL(GW) = (#(SK gs ),#(x), #00, #(D,#(Tg)} 

Subsequently, the global set of entity GWwill change with the following: 
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Observers(X g ): fU, GW} 

The next operations have to be executed in Phase-Ill of BL(Sn), because the above Send 
operation [i.e., Send(Sn, (Tg, C})] specifies Sn and upon receiving the Receive operation 
[i.e., Receive(GW,{Tg, C})] Sn will do the following: 

■ Receive(GW, {Tg, CJ). 
' Split(Tg, C). 

■ Check-freshness (Ts - Tg) >AT, if yes, then aborts. 

■ Decrypt({ C} S K gs ) and obtain [ h(lD k , X g , Tg *) ]. 

■ Check(Tg*, Tg). 

■ Hash(h(.); Concat(Hash(.); IDu, X g , Sn, Ts, Tu))^>SesK. 

■ Encrypt((Concat(X g , Ts)Js eS K)— > -L. 

■ SendiU, (L, TsJ)^M4. 

■ Update(L, Ts). 

After applying the Update operation on the received message, the following changes will occur in 
the Sn entity: 

POSS(Sn) = { SK gs , Ses K , Ts{ID k , X g , TgJSK gs from GW} 
BELiSn) = (#(SK gs ), #(Ses K ), #(X g ), #(Ts)j 

The following changes will occur in the global set of the entity Sn: 

Observer s(X g ): (U, GW, Sn} 
ObserversiSesx): {Sn} 

Thereafter, the next operations have to be executed in Phase-Ill of BL(U). Since the above Send 
operation [i.e., Send(U, (L, Ts})] specifies U entity and5L(L0 perform the following actions: 

■ Receive(Sn, {L, Ts})^M4 /Here L=ESes K [X g \\ Ts]] 

■ Split({L, Ts}) 

■ Check-freshness (Tu - Ts) >AT, if yes, then aborts. 

■ Hash(h(.); Concat(Hash(h(.); ID k , X g , Sn, Ts, Tu)))^>SesK 

■ Decrypt{{L}sesK) and obtain (X g *, Ts*) 

■ Check(X g , X g *) 

■ Check(Ts, Ts*) 

In the Check operation U's verify X g , which was generated by him/her and verify time- stamp Ts. If 
the Check operations are successful then the following changes will occur in BL(U): 

Local set: 

POSS(U) = {X g , Sn, Ses K } 
BEL(U) = {#(Xg),#(Ses K )} 

Now finally the global set contains: 
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Observers(X g ): fU, GW, Snj 
Observers(SesK): fU, Snj 

The application of Rubin logic in our framework is illustrated above, which closely resembles the 
structure of real user authentication system in wireless sensor network. Our specifications are designed 
to resemble actual implementation as much as possible. 

6. Evaluation of RUASN 

In this section, we present our proposed RUASN evaluation in terms of security analysis (i.e., can it 
resist against several well-known attacks), and efficiency analysis in terms of computational and 
communication cost. Finally, we show a functionality comparison with existing schemes. 

Before evaluating the RUASN, it is assumed that an adversary may have full control over the 
network with following capabilities: 

• An adversary may intercept all the messages (i.e., Ml, M2, M3 and M4) at any time. 

• He/she may intercept, delete or modify, and insert any message over the public network. 

• In addition, we assume that an adversary may hack either passwords or steal user Uu's smart 
card, extract secrets [36,37], but cannot do both at the same time [38]. 

• As per the current literature, extracting secrets from the smart card memory is quite difficult 
and some smart card manufacturer companies provide countermeasures against risk of side 
channel attacks [18,36]. Furthermore, [39] has proposed countermeasures against power 
analysis attacks. 

Based on above assumptions, an attacker may execute certain attacks to breach the proposed 
RUASN scheme. 

6.1. Security Analysis 

In this subsection, we analyze the security of proposed RUASN and further compare with the M.L, 
Das [18], He et al. [21], Wong et al. [10], and Vaidya et al. [14] schemes. We prove that the presented 
scheme can resist certain popular attacks that are found in the existing wireless sensor network 
literature. 

Mutual Authentication. Our scheme provides mutual authentication, where all entities 
(i.e., user, gateway and sensor node) are mutually authenticating each other. More specifically, when 
the GW node receives the message M2 (i.e., <Bt, AID/,, Tu, Ts, Sn>) and Q, it can make sure that the 
user message Ml (i.e., <Bu, AIDk, Tu>) is included in the sensor node message M2. When the sensor 
node receives message M3 (i.e., <Tg, C>), it ensures that this message is generated by the GW node. 
Furthermore, when the user receives message M4 (i.e., <L, Ts>), he/she can also confirm that this 
message is generated by the sensor node. Hence, mutual authentication is achieved. 

User anonymity. In our scheme, user anonymity Uk is preserved at the registration phase by 
computing Au = h(IDk® I) and Bk = E x [IDk\\l]. In addition, it is impossible to extract IDt from the AIDk, 
which is E T kTu[h(IDk)\\Sn\\X g ] , and it is also very difficult to revert the h(IDk). So, our scheme can 
preserve user anonymity. 
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Session Key Establishment. The proposed scheme provides session key establishment after the 
authentication phase. A session key [i.e., SesK= h(h(IDk)\\X g \\Sn\\Ts\\Tu)] is set up between the user 
and the sensor node for secure subsequent communication. The Ses K will be different for each login 
session and cannot be replayed after the time expires. More importantly, the user and the sensor node 
can securely execute encryptions and decryptions by using of Sesx and hence, achieve confidentiality 
for the subsequent messages. 

Confidentiality. Our proposed scheme provides adequate confidentiality to their messages (such as, 
E T kTu[h(IDk)\\Sn\\X g ] , E SK gs[h(IDk)\\X g \\Tg] and E SesK [X g \\Ts]). More precisely, these messages are 
confidential from any attacker. 

Replay Attacks. Our scheme is resistant to replay attacks [42], because the authenticity of messages 
<M1>, <M2>, <M3> and <M4> are validated by checking the freshness of four timestamps 
((Ts - Tu) > AT, (Tg - Ts) > AT, (Ts - Tg) > AT and (Tu - Ts) > AT). Let's assume an 
intruder intercepts a login request message Ml and attempt to access the sensor node by replaying the 
same message (Ml). The verification of this login attempt fails, since the time difference expires 
(i.e., (Ts - Tu) > AT). Similarly, if an intruder intercepts a valid message M2 (i.e., <Bk, AIDk, Tu, Ts, 
Sn>) and attempts to replay it to the GW node, the verification request will fail at the GW node 
because of the time difference expires again (i.e., (Tg - Ts) > AT). Thus, our framework is secure 
against replaying of messages. 

User Impersonation Attacks. An attacker cannot impersonate the user. Suppose an attacker forges a 
login message <Bk, AIDk, Tu>. Now, he/she will again try to login into the system with the modified 
message <Bk*, AIDk*, Tu>, since, the fake AIDk* will not be verified at the GW node, and the GW 
node cannot get the original sub-message (h(IDt*)\\Sn*J by decrypting AIDt*. Therefore, it is not 
possible to impersonate the user. 

Gateway Impersonation Attacks. As long as an attacker does not possess the secret key SK gs , 
he/she cannot impersonate the server and cannot cheat the sensor node. Hence, it frustrates attackers to 
generate the valid message M4 to the sensor node. 

Insider Attacks. It is possible in a real-time environment, when the gateway manager or system 
administrator can use the user password PWk (e.g., weak password) to impersonate the user Uk through 
any other network gateways [20,21,40]. In this case, our scheme does not give any room for privileged 
insiders, since, in the registration phase, the user C/^is passing h(r®PWk) instead of the plain password. 
Thus, the insider of the GW node cannot get PWk easily [20,21]. Here, r is a sufficiently high entropy 
number, which is not revealed to the GW node. Furthermore, the proposed scheme does not store any 
verifier table and can resist the insider attacks [41]. 

Stolen-Verifier Attacks. The stolen-verifier attack scenario is not applicable to our scheme, as we 
are not using any password/verifier table. 

Offline-Password Guessing Attacks. Our scheme is free from any password verifier table, so 
password guessing attacks are not feasible. In the login phase, passwords are not simply transmitted, 
instead, they are transmitted with some other secret (i.e., Vk = h(IDk\\ h(r(DPWk))), which makes it 
difficult to guess the user's password. 

Man-in-the-Middle Attacks. An attacker may attempt a man-in-the-middle (MIMT) attack by 
modifying the login message <Bk, AIDk, Tu> into <Bk*, AIDk*, Tu*>. However, this malicious 
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attempt will not work, as the false AIDk* will not be verified at the GW node and the GW node cannot 
get the original sub-message {h(IDk*)\\Sn*J by decrypting AIDk*. Thus, man-in-the-middle attacks are 
not applicable to the RUASN scheme. 

Secure Password Update. In the secure password update phase, our framework first verifies the old 
IDk, PWt and only then requests a new password. Otherwise, it rejects all password update requests. 
Therefore, our framework updates passwords securely. 

Gateway Secret Key Guessing Attacks. In our scheme, the gateway secret keys (x and y) are very 
long and possess high entropy. In addition, neither x nor y are transmitted in plain text over the public 
channel, instead x and y are mainly used as a key to encrypt data (Ex[IDk\\l], SKgs = h(Sn\\y)). Hence, 
it is very difficult to guess both the gateway master keys, x and y. 

6.2. Efficiency Analysis 

In this subsection, we present an efficiency analysis (i.e., computational cost and communication 
cost) of our scheme and compare it with existing schemes (Das [18], He et al. [21], Wong et al. [10] 
and Vaidya et al. [14]) for wireless sensor networks. The evaluation parameters are shown below: 

H: performing one-way hash function. 

5: symmetric cryptosystem. 

MAC: the time for performing a MAC. 

Computation Cost: RUASN adopts low-cost computations like a one-way hash function and 
symmetric cryptosystem, which is acceptable for WSNs and provides more security features with 
reasonable computational costs. As we can see the computation cost comparisons of our scheme and 
other related scheme are summarized in Table 4. It is easy to see that, in the registration phase 
(i.e., one-time job) our scheme requires 4H and one symmetric cryptosystem, whereas in [21] and [14] 
6H and 4H are required, respectively. Furthermore, in the login and authentication phase the proposed 
scheme requires 9H, 6S and 2MAC, whereas, [18,21] and [14] require 9H, 11H and 9H, respectively. 
This is due to fact that in order to provide more functionality such as mutual authentication, user 
anonymity, message confidentiality, and secure session key establishment, more computational costs 
are incurred. 



Table 4. A performance comparison of RUASN with the existing schemes. 



Schemes 


Registration 


Login and Authentication 


User 


Gateway 


User 


Gateway 


Sensor node 


Das [18] 




3H 


4H 


4H 


IH 


Daojing et al. [21] 


IH 


5H 


5H 


5H 


IH 


Wong et al. [10] 




3H 




IH 


3H 


Vaidya et al. [14] 


2H 


2H 


3H 


3H 


3H 


Proposed RUASN 


IH 


3H + 1S 


4H + 2S 


4H + 2S + 1MAC 


1H + 2S + 1MAC 



Communication Cost: It is easy to visualize from Figure 3 that RUASN requires four message 
exchanges for the whole communication and confirmation of all entities (i.e., user, gateway and 
sensor), which is practical for real-time applications. 
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6.3. Functionality Analysis 

From Table 5, it is easy to see that the RUASN has more security functionality as compared to other 
existing proposed protocols for WSNs. Our scheme has robust security features such as mutual 
authentication between all entities (i.e., user, gateway and sensor), user anonymity, confidentiality, 
secure session key establishment, secure password update phase and secure against insider attacks, and 
it meets all the requirements of Liao et al. [27], which are discussed in Section 3. 



Table 5. Functionality comparison of RUASN with existing schemes. 



Security Features 


Das 
[18] 


He et al. 
[21] 


Wong et al. 
[10] 


Vaidya et al. 
[14] 


Proposed 
RUASN 


Provides mutual authentication 


No 


No 


No 


Yes 


Yes 


Provide user privacy 


No 


Yes 


No 


Yes 


Yes 


Confidentiality 


No 


No 


No 


No 


Yes 


Secure Session key agreement 


No 


No 


No 


No 


Yes 


Secure password update phase 


No 


Yes 


No 


Yes 


Yes 


Replay attack 


Yes 


Yes 


Yes 


Yes 


Yes 


No password tables stored inside 
the gateway 


Yes 


Yes 


No 


No 


Yes 


No verification table stored inside 
the gateway 


Yes 


Yes 


No 


No 


Yes 


Password is not be transmitted as 
plaintext 


No 


Yes 


No 


Yes 


Yes 


Resist insider-attacks 


No 


Yes 


No 


Yes 


Yes 


Password is not exposed to the 
gateway administrator 


No 


Yes 


No 


No 


Yes 


Secure against gateway secret key 
guessing attack 


No 


No 


No 


No 


Yes 


Secure against password guessing 
attack 


No 


Yes 


No 


Yes 


Yes 



As we have seen in the above analysis, it is clear that the RUASN is a robust user authentication 
protocol and provides more security services at less cost. 



7. Conclusions 

In real-time, as the sensor networks themselves offer services to users; it is necessary to control 
who is accessing the information and if it he/she allowed to do so. Therefore, access control is an 
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imperative requirement for wireless sensor networks to protect the data access from unauthorized 
parties. 

In this regard, we have proposed a robust user authentication framework for wireless sensor 
networks, RUASN, which is based on a two-factor approach (i.e., password and smart card) by 
exploiting the advantages of cryptographic hash functions and crypto systems. We have shown a 
security analysis and performance analysis of the RUASN framework and compared it with recent 
existing schemes. Through analysis, we show that our scheme is more robust against many popular 
attacks, which are prominent risks for wireless sensor network and that it provides many security 
services (i.e., mutual authentication, user anonymity, confidentiality, secure session key and allow 
users to choose/updates their password ) at reasonable computational costs. 
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